High Risk
Wiki Entry
Missing Strict-Transport-Security (HSTS)
Your site doesn't have the Strict-Transport-Security header. This header forces browsers to always use HTTPS, even if users type 'http://' in the URL.
Why This Matters
Without HSTS, users can accidentally access your site over HTTP, exposing their data to interception. Attackers can also downgrade HTTPS connections to HTTP (SSL stripping attacks) to steal sensitive information.
How to Fix
Framework-specific solutions and general best practices
Add the Strict-Transport-Security header with a long max-age value, for example: 'Strict-Transport-Security: max-age=31536000; includeSubDomains'. This tells browsers to use HTTPS for the next year (31536000 seconds) on this host and, because of includeSubDomains, on all of its subdomains.
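The following is an added example, not code from the wiki or the scanner it belongs to. It shows how a defender can check a captured response for this finding: parse the Strict-Transport-Security value into its directives and flag the header as missing, as having a max-age below the one-year value recommended above, or as lacking includeSubDomains. It also flags one caveat worth knowing when fixing the issue: browsers only honour HSTS received over HTTPS, so the header has to be sent on the HTTPS response, not just the HTTP one. The header dictionaries and the finding identifiers other than missing_hsts are assumptions made for this example; the header values are constructed, not captured from any real site.

```python
"""Assess the Strict-Transport-Security header of an HTTP response (added example)."""

ONE_YEAR_SECONDS = 31536000  # the max-age value recommended in the entry above


def parse_hsts(value):
    """Parse an HSTS header value into its directives.

    Returns a dict with 'max_age' (int or None), 'include_subdomains' and
    'preload' (bools). Directive names are matched case-insensitively.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if arg.isdigit():
                result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def assess_hsts(headers, served_over_https=True):
    """Return a list of findings for a response's headers (empty list means OK).

    `headers` is a plain dict of response headers as a scanner might capture
    them (assumed shape); header names are matched case-insensitively.
    """
    findings = []
    value = None
    for name, header_value in headers.items():
        if name.lower() == "strict-transport-security":
            value = header_value
            break
    if value is None:
        return ["missing_hsts: Strict-Transport-Security header not set"]
    if not served_over_https:
        findings.append(
            "hsts_over_http: browsers ignore HSTS received over plain HTTP; "
            "send the header on the HTTPS response"
        )
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        findings.append("hsts_invalid: max-age directive missing or not a number")
    elif parsed["max_age"] < ONE_YEAR_SECONDS:
        findings.append(
            f"hsts_short_max_age: max-age={parsed['max_age']} is below one year "
            f"({ONE_YEAR_SECONDS} seconds)"
        )
    if not parsed["include_subdomains"]:
        findings.append(
            "hsts_no_subdomains: includeSubDomains not set; subdomains stay reachable over HTTP"
        )
    return findings


# Constructed sample responses for illustration; not captured from any real site.
SAMPLE_RESPONSES = {
    "no_header": {"Content-Type": "text/html"},
    "weak": {"strict-transport-security": "max-age=300"},
    "recommended": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(label, assess_hsts(hdrs) or "OK")
```

Running the block prints one line per sample: the response without the header reproduces the missing_hsts finding from this entry, the 'max-age=300' response is reported for both the short lifetime and the missing includeSubDomains, and the recommended value passes cleanly.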
Quick Reference
Severity
High Risk
ID
missing_hsts
AI Assistant Prompt
Copy this prompt to ask an AI for help fixing this vulnerability:
Please fix the "Missing Strict-Transport-Security (HSTS)" security vulnerability in this web application. The issue is: Your site doesn't have the Strict-Transport-Security header. This header forces browsers to always use HTTPS, even if users type 'http://' in the URL. Make a plan and implement based on my project.